
X.509 at the University of Michigan

CIC-RPG Meeting, June 7, 1999
Kevin Coffman ([email protected])
Bill Doster ([email protected])

Project Goals

• Transparent Web Authentication
• Eliminate password prompts
• Lotus Notes Authentication
• Position for inter-institution Authentication

Non-Goals

• Not a complete PKI
• Not to be used for document signing
• Not to be used for encryption
• Not a complete replacement of the current cookie method

Why X.509?

• An accepted standard
• Application support out of the box
  – Web servers, web browsers, directory servers, IMAP servers, etc.
• Allows the possibility for inter-institution authentication
• No need for N²-1 cross-realm trusts

Description

• Use short-term (approximately 1 day) certificates - “Junk Keys”
• Obtain certificates securely
• For Authentication ONLY!
• Use OpenSSL for creating and signing certificates

Why “Junk Keys”?

• Revocation becomes a non-issue
• Private Key storage is less an issue
• Certificate publication for sharing is not necessary
• Certificate management is less critical
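The Description and Why “Junk Keys” slides above describe one-day, authentication-only certificates signed with OpenSSL. The script below is an added example, not code from the CITI presentation: it walks through that issuance (client key pair, PKCS #10 request, CA signature with a one-day lifetime, client-auth-only extensions) and then shows that verification fails two days later, which is why revocation is a non-issue. It assumes openssl 1.1.0 or later on PATH; the CA and user names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the CITI slides: issue a one-day "junk key"
# client-authentication certificate with OpenSSL, then show that it
# verifies today and fails once it has expired.  Assumes openssl >= 1.1.0
# on PATH; CA and user names are constructed placeholders.
set -e

issue_junk_cert() {
  here=$PWD
  work=$(mktemp -d)
  cd "$work"

  # 1. A throwaway CA; in the deployment the slides describe this is the
  #    campus CA whose certificate is baked into the distributed browsers.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 365 -subj "/CN=Example Campus CA" >/dev/null 2>&1

  # 2. The client generates its own key pair and a PKCS #10 request, so
  #    the private key never leaves the client machine.
  openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=jdoe" >/dev/null 2>&1

  # 3. The CA signs for one day only and marks the certificate for client
  #    authentication, not document signing or encryption.
  cat > ext.cnf <<'EOF'
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
basicConstraints = CA:FALSE
EOF
  openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile ext.cnf -out user.pem >/dev/null 2>&1

  # 4. Chains to the CA and is usable for client auth right now.
  openssl verify -CAfile ca.pem -purpose sslclient user.pem >/dev/null

  # 5. Two days from now it must fail: expiry does the job revocation
  #    would otherwise have to do.
  later=$(( $(date +%s) + 2 * 24 * 3600 ))
  if openssl verify -CAfile ca.pem -attime "$later" user.pem >/dev/null 2>&1
  then
    echo "ERROR: expired certificate still verifies" >&2
    cd "$here"; rm -rf "$work"; return 1
  fi
  cd "$here"; rm -rf "$work"
  echo "one-day certificate issued; lifetime check passed"
}
```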

Drawbacks

• Cannot be used for signing or encryption
• Not possible to verify certificate via LDAP

Options for obtaining the CA’s Certificate

• Bake it into browsers we distribute
• Via a web interface using SSL and Verisign Certificate
• Store it in the file-system

Obtaining CA Certificate via Web

Diagram: the CA (Apache + OpenSSL + scripts, presenting a Verisign certificate) delivers the CA certificate to the browser (Netscape or Internet Explorer). Green lines imply SSL protected.

Options for obtaining theOptions for obtaining theUser CertificateUser Certificate

Via a web-based interface [ Via a web-based interface [ SSLSSL ] ] Pam / Gina / Login [ TGT or SSL ]Pam / Gina / Login [ TGT or SSL ] Standalone program [ TGT Standalone program [ TGT (or SSL)(or SSL) ] ] Leave it up to application [ TGT Leave it up to application [ TGT (or (or

SSL)SSL) ] ]

Obtaining User Certificate via Web (Netscape)

Diagram: exchange between the Netscape Browser and the Web server / CA.

Netscape Browser:
• User selects URL
• Sends ID and password
• keyGen: generate key pair and store keys
• Sends Public Key
• Store Certificate

Web server / CA:
• Prompts: ID and password??
• Verify identity
• Lookup full name
• Lookup Entity ID
• Generate and Sign Certificate
• Returns Signed Certificate

Obtaining User Certificate via Web (IE part 1)

Diagram: exchange between the Internet Explorer Browser and the Web server / CA.
• Browser: User selects URL
• Web server / CA (ieReq.pl): prompts ID ??, sending a VBScript asking for user’s unique ID

Obtaining User Certificate via Web (IE part 2)

Diagram: exchange between the Internet Explorer Browser and the Web server / CA.
• Browser: sends ID (uniqname)
• Web server / CA (ieGenReq.pl): Lookup full name; Lookup Entity ID; Generate VBScript to create key pair and PKCS #10 request; prompts password ??
• Browser: Run VBScript to generate key pair and PKCS #10 request

Obtaining User Certificate via Web (IE part 3)

Diagram: exchange between the Internet Explorer Browser and the Web server / CA.
• Browser: sends password + PKCS #10
• Web server / CA (ieTreatReq.pl): Check password; Generate certificate and wrap it in PKCS #7 format; Generate VBScript to accept PKCS #7; returns PKCS #7
• Browser: Run VBScript to accept PKCS #7

Phew! Done!

Obtaining User Certificate via Standalone Pgm (Netscape)

Diagram: exchange between the Client Machine and the Certificate Authority.
• Client Machine: getcert, using keyutil and certutil with key3.db and cert7.db; sends public key
• Certificate Authority: Lookup full name; Lookup Entity ID; Generate and sign certificate; returns signed certificate

Orange lines imply Kerberized exchange

Obtaining User Certificate via Standalone Program (IE)

Diagram: exchange between the Client Machine and the Certificate Authority.
• Client Machine: Use OpenSSL to generate key pair; sends public key; Store key pair; Store certificate
• Certificate Authority: Lookup full name; Lookup Entity ID; Generate and sign certificate; returns signed certificate

Storing the Certificates

• How to destroy the certificates after use?
• NT 4.0 w/SP3 and later has special storage classes that live only for the life of a login
• Make use of Kerberos credential storage?

Internet Explorer vs. Netscape

Problems

• Documentation - Flood or Drought
• Macintosh support lags other platforms

Current Status

• Internet Explorer (Windows only) looks promising
• Netscape (Windows, Solaris) do-able but not clean
• Macintosh support does not currently look promising for either browser

References

• This presentation:
  – http://www.citi.umich.edu/u/kwc/Presentations/X509June1999
• OpenSSL:
  – http://www.openssl.org/
• Netscape Security Services:
  – http://home.netscape.com/nss/v1.2/index.html
• Microsoft CryptoAPI:
  – http://www.microsoft.com/security/tech/CryptoAPI/default.asp

?? Questions / Discussion ??